From 9f3396f79d5f2b4a6d19f0a55f998a3de19949b8 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 11 Sep 2025 16:10:32 -0400
Subject: [PATCH 1/6] updating Azure AD Global Administrator Role Assigned
---
 ...re_global_administrator_role_assigned.toml | 50 +++++++++++--------
 1 file changed, 29 insertions(+), 21 deletions(-)
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index 4e7b23074b2..79a88a71988 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,39 +2,38 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/11" [rule] author = ["Elastic"] description = """ -In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator -is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD +In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator +is a role that enables users to have access to all administrative features in Microsoft Entra ID and services that use Microsoft Entra ID identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all -subscriptions and their settings and resources. +subscriptions and their settings and resources. They can also elevate privilege to User Access Administrator to pivot into Azure resources. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs*"] language = "kuery" license = "Elastic License v2" -name = "Azure AD Global Administrator Role Assigned" +name = "Microsoft Entra ID Global Administrator Role Assigned" note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. +### Investigating Microsoft Entra ID Global Administrator Role Assigned -### Investigating Azure AD Global Administrator Role Assigned - -Azure AD's Global Administrator role grants comprehensive access to manage Azure AD and associated services. 
Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. +Microsoft Entra ID's Global Administrator role grants comprehensive access to manage Microsoft Entra ID and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. ### Possible investigation steps -- Review the Azure audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name. +- Review the Microsoft Entra ID audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name. - Verify the identity of the user added to the Global Administrator role by examining the modified properties in the audit logs, specifically the new_value field indicating "Global Administrator". - Check the history of role assignments for the identified user to determine if this is a recurring pattern or a one-time event. - Investigate the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access. - Review any recent changes or activities performed by the newly assigned Global Administrator to identify any suspicious actions or configurations that may have been altered. 
- Consult with the organization's IT or security team to confirm if the role assignment was authorized and aligns with current administrative needs or projects. +- Correlate with Microsoft Entra ID sign-in logs to check for any unusual login patterns or failed login attempts associated with the user who assigned the role. +- Review the reported device to determine if it is a known and trusted device or if it raises any security concerns such as unexpected relationships with the source user. ### False positive analysis 
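Review bot: The new investigation step `- Review the reported device to determine if it is a known and trusted device ...` does not say where device data comes from, and none of the fields the query reads (`event.dataset`, `azure.auditlogs.*`, see the next hunk) is a device field; presumably it means the sign-in log correlated in the preceding bullet, so say so, e.g. `- Review the device reported in the correlated sign-in log to determine if it is a known and trusted device ...`. The description's new sentence about elevating to User Access Administrator describes exactly what the sibling rule in this series detects, so naming that rule (`Microsoft Entra ID Elevated Access to User Access Administrator`) in the investigation steps would give analysts the pivot. The `from` lookback shrinks from `now-25m` to `now-9m`; that appears to rely on `timestamp_override = "event.ingested"` (kept in the next hunk) to absorb audit-log ingest delay, which is worth stating in the commit message. The `note` string this hunk edits continues into the next hunk.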
@@ -52,24 +51,33 @@ Azure AD's Global Administrator role grants comprehensive access to manage Azure - Implement conditional access policies to restrict Global Administrator role assignments to specific, trusted locations or devices. - Review and update role assignment policies to ensure that only a limited number of trusted personnel have the ability to assign Global Administrator roles. - Enhance monitoring and alerting mechanisms to detect similar unauthorized role assignments in the future, ensuring timely response to potential threats. - -## Setup - -The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ + "https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator", + "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/" ] risk_score = 47 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and -azure.auditlogs.operation_name:"Add member to role" and -azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\"" +event.dataset:azure.auditlogs and + azure.auditlogs.properties.category:RoleManagement and + azure.auditlogs.operation_name:"Add member to role" and + 
azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: ("\"Global Administrator\"" or "Global Administrator")
 '''
From 84436d9ee0b390cd8a9e5d72f12fa1bef34fe600 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 11 Sep 2025 16:25:11 -0400
Subject: [PATCH 2/6] removed logic changes as it only effects outside of PIM. Adding a different rule for these
---
 .../persistence_azure_global_administrator_role_assigned.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index 79a88a71988..c91ff17b50d 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -77,7 +77,7 @@ query = '''
 event.dataset:azure.auditlogs and
  azure.auditlogs.properties.category:RoleManagement and
  azure.auditlogs.operation_name:"Add member to role" and
- azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: ("\"Global Administrator\"" or "Global Administrator")
+ azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: ("\"Global Administrator\"")
 '''
 
 
From 80031eb777a6300d83c851bf90a1ca828adf8360 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 11 Sep 2025 16:25:51 -0400
Subject: [PATCH 3/6] slight change to query
---
 .../persistence_azure_global_administrator_role_assigned.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index c91ff17b50d..d962988178b 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
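Review bot: The `## Setup` paragraph is removed with nothing in its place, so the rule's only statement of the required data source disappears just as `index` is narrowed to `logs-azure.auditlogs*` in the previous hunk; keep a one-line Setup section such as `The Azure Fleet integration (auditlogs data stream), Filebeat module, or similarly structured data is required to be compatible with this rule.` The rewritten query replaces the positional `target_resources.0.modified_properties.1` path with `target_resources.*.modified_properties.*`, which is the substantive change of this commit and deserves a sentence in the commit message saying what the fixed indices presumably missed. The match still depends on the role display name being serialized with embedded quotes (`"\"Global Administrator\""`); a short remark in `note` on why the value is matched in that form would stop the next maintainer from simplifying it away. The added query line is split across the page's physical lines and ends on this one.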
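Review bot: Dropping the unquoted `"Global Administrator"` alternative narrows the rule to events whose `new_value` carries the embedded-quote form, and the commit message ties that to PIM, but the rule text records nothing about it, so an analyst reading `note` will assume every `Add member to role` assignment is covered. Add a sentence to the False positive analysis (or a Setup section) stating which serialization of `new_value` this rule matches and that the other form is handled by the separate rule the message promises, naming that rule once it exists. The parentheses left around the single value are harmless but no longer needed.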
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -77,7 +77,7 @@ query = '''
 event.dataset:azure.auditlogs and
  azure.auditlogs.properties.category:RoleManagement and
  azure.auditlogs.operation_name:"Add member to role" and
- azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: ("\"Global Administrator\"")
+ azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: "\"Global Administrator\""
 '''
 
 
From a5e2cdadd5aa9ace2004521d3f27489fe118339d Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 15 Sep 2025 11:44:47 -0400
Subject: [PATCH 4/6] tuning rule Microsoft Entra ID Elevated Access to User Access Administrator
---
 ...ntra_id_elevate_to_user_administrator_access.toml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
index 232a1364d34..0b4a239bce0 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/22"
+updated_date = "2025/09/15"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -23,7 +23,7 @@ note = """## Triage and Analysis
 
 ### Investigating Microsoft Entra ID Elevated Access to User Access Administrator
 
-This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Microsoft Entra ID (Azure AD). This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a **New Terms** rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue.
+This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Azure RBAC. This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a New Terms rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue.
 
 ### Possible investigation steps
 
@@ -61,12 +61,14 @@ This rule identifies when a user elevates their permissions to the "User Access
 references = [
  "https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs/",
  "https://permiso.io/blog/azures-apex-permissions-elevate-access-the-logs-security-teams-overlook",
+ "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd"
-severity = "medium"
+severity = "high"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Audit Logs",
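Review bot: The rewritten sentence still says the alert only triggers if the user has not performed this elevation `in the past 14 days`, but the `@@ -107,6 +109,6 @@` hunk of this same commit sets `history_window_start` to `now-7d`; change it to `... has not performed this elevation in the past 7 days, helping reduce alert fatigue.` so the guide matches the rule's behaviour. Switching `Microsoft Entra ID (Azure AD)` to `Azure RBAC` is accurate for the User Access Administrator role, but the event is read from `event.dataset: azure.auditlogs`, so a half-sentence noting that the elevation is recorded in the Entra ID audit log keeps the data-source link explicit for analysts. Any other mention of the 14-day figure in `note` outside this hunk needs the same correction.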
@@ -107,6 +109,6 @@ field = "new_terms_fields"
 value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 
From 598e311d36906d80d81c40baa4ea49c9427c5228 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 15 Sep 2025 11:48:26 -0400
Subject: [PATCH 5/6] revert changes
---
 ...re_global_administrator_role_assigned.toml | 50 ++++++++-----------
 1 file changed, 21 insertions(+), 29 deletions(-)
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index d962988178b..4e7b23074b2 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,38 +2,39 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2025/01/15" [rule] author = ["Elastic"] description = """ -In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator -is a role that enables users to have access to all administrative features in Microsoft Entra ID and services that use Microsoft Entra ID +In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator +is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all -subscriptions and their settings and resources. They can also elevate privilege to User Access Administrator to pivot into Azure resources. +subscriptions and their settings and resources. """ -from = "now-9m" -index = ["filebeat-*", "logs-azure.auditlogs*"] +from = "now-25m" +index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Global Administrator Role Assigned" +name = "Azure AD Global Administrator Role Assigned" note = """## Triage and analysis -### Investigating Microsoft Entra ID Global Administrator Role Assigned +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -Microsoft Entra ID's Global Administrator role grants comprehensive access to manage Microsoft Entra ID and associated services. 
Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. +### Investigating Azure AD Global Administrator Role Assigned + +Azure AD's Global Administrator role grants comprehensive access to manage Azure AD and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. ### Possible investigation steps -- Review the Microsoft Entra ID audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name. +- Review the Azure audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name. - Verify the identity of the user added to the Global Administrator role by examining the modified properties in the audit logs, specifically the new_value field indicating "Global Administrator". - Check the history of role assignments for the identified user to determine if this is a recurring pattern or a one-time event. - Investigate the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access. - Review any recent changes or activities performed by the newly assigned Global Administrator to identify any suspicious actions or configurations that may have been altered. 
- Consult with the organization's IT or security team to confirm if the role assignment was authorized and aligns with current administrative needs or projects. -- Correlate with Microsoft Entra ID sign-in logs to check for any unusual login patterns or failed login attempts associated with the user who assigned the role. -- Review the reported device to determine if it is a known and trusted device or if it raises any security concerns such as unexpected relationships with the source user. ### False positive analysis 
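Review bot: This hunk and the following one (`@@ -51,33 +52,24 @@`) undo patches 1–3 in full, returning the file to `index 4e7b23074b2`, while the commit message `revert changes` gives no reason, so the series carries a round trip that leaves `persistence_azure_global_administrator_role_assigned.toml` unchanged. If the motivation is the PIM split mentioned in patch 2, say so in the message, and decide deliberately whether the non-query improvements of patch 1 (Entra ID naming, the narrowed `index`, the `Domain: Identity` and Entra audit-log tags, the dropped AI disclaimer) should really go with it. Squashing the abandoned commits out of the series would keep the history reviewable and avoid a bisect landing on an intermediate query.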
@@ -51,33 +52,24 @@ Microsoft Entra ID's Global Administrator role grants comprehensive access to ma - Implement conditional access policies to restrict Global Administrator role assignments to specific, trusted locations or devices. - Review and update role assignment policies to ensure that only a limited number of trusted personnel have the ability to assign Global Administrator roles. - Enhance monitoring and alerting mechanisms to detect similar unauthorized role assignments in the future, ensuring timely response to potential threats. -""" + +## Setup + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ - "https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator", - "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/" ] risk_score = 47 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" -] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and - azure.auditlogs.properties.category:RoleManagement and - azure.auditlogs.operation_name:"Add member to role" and - azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: "\"Global Administrator\"" +event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and +azure.auditlogs.operation_name:"Add member to role" and 
+azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""
 '''
From 9dfc03d34b680161651dae15c508cc5d92030f96 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 18 Sep 2025 09:54:44 -0400
Subject: [PATCH 6/6] Added operation name to query logic
---
 ...ation_entra_id_elevate_to_user_administrator_access.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
index 0b4a239bce0..90660c36cb0 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -81,8 +81,10 @@ type = "new_terms"
 
 query = '''
 event.dataset: azure.auditlogs
- and azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources"
- and event.outcome: "success"
+ and (
+ azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources" or
+ azure.auditlogs.properties.additional_details.value: "Microsoft.Authorization/elevateAccess/action"
+ ) and event.outcome: "success"
 '''
 
 
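Review bot: The new clause tests `azure.auditlogs.properties.additional_details.value` on its own; `additional_details` in Entra ID audit events appears to be a list of key/value pairs, so the value is matched without the key it belongs to, and if the integration exposes the corresponding key field it should be constrained alongside `Microsoft.Authorization/elevateAccess/action`. The commit title says an operation name was added, but the added term is an additional-details value, so the message should be corrected and a sentence added to `note` explaining why a second match condition is needed (which events lack the operation name). Because the rule is `new_terms` on `azure.auditlogs.properties.initiated_by.user.userPrincipalName` (visible in patch 4's `@@ -107` hunk), events satisfied only by the new clause but initiated by a non-user principal would presumably have no term to key on; worth confirming against sample events.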